gcp: Move provisioning of SSH key into separate task

Run the ssh provisioning task before build image task so ansible can ssh
to the node it's creating.

playbooks/gcp/openshift-cluster/build_base_image.yml

@@ -1,6 +1,6 @@
 ---
 # This playbook ensures that a base image is up to date with all of the required settings
-- name: Launch image build instance
+- name: Verify prerequisites for image build
   hosts: localhost
   connection: local
   gather_facts: no
@@ -10,6 +10,21 @@
       msg: "A root OS image name or family is required for base image building.  Please ensure `openshift_gcp_root_image` is defined."
     when: openshift_gcp_root_image is undefined
 
+- name: Provision ssh key
+  hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
+  - name: Set up core host GCP configuration
+    import_role:
+      name: openshift_gcp
+      tasks_from: provision_ssh_keys.yml
+
+- name: Launch image build instance
+  hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
   - name: Create the image instance disk
     gce_pd:
       service_account_email: "{{ (lookup('file', openshift_gcp_iam_service_account_keyfile ) | from_json ).client_email }}"

playbooks/gcp/openshift-cluster/build_image.yml

@@ -9,6 +9,16 @@
       msg: "A base image name or family is required for image building.  Please ensure `openshift_gcp_base_image` is defined."
     when: openshift_gcp_base_image is undefined
 
+- name: Provision ssh key
+  hosts: localhost
+  connection: local
+  gather_facts: no
+  tasks:
+  - name: Set up core host GCP configuration
+    import_role:
+      name: openshift_gcp
+      tasks_from: provision_ssh_keys.yml
+
 - name: Launch image build instance
   hosts: localhost
   connection: local

roles/openshift_gcp/tasks/main.yml

@@ -30,6 +30,8 @@
   when:
   - state | default('present') == 'present'
 
+- import_tasks: provision_ssh_keys.yml
+
 - name: Provision GCP resources
   command: /tmp/openshift_gcp_provision.sh
   args:

roles/openshift_gcp/tasks/provision_ssh_keys.yml

@@ -0,0 +1,10 @@
+---
+- name: Templatize SSH key provision script
+  template: src=provision_ssh.j2.sh dest=/tmp/openshift_gcp_provision_ssh.sh mode=u+rx
+
+- name: Provision GCP SSH key resources
+  command: /tmp/openshift_gcp_provision_ssh.sh
+  args:
+    chdir: "{{ files_dir }}"
+  when:
+  - state | default('present') == 'present'

roles/openshift_gcp/templates/provision.j2.sh

@@ -2,38 +2,6 @@
 
 set -euo pipefail
 
-if [[ -n "{{ openshift_gcp_ssh_private_key }}" ]]; then
-    # Create SSH key for GCE
-    if [ ! -f "{{ openshift_gcp_ssh_private_key }}" ]; then
-        ssh-keygen -t rsa -f "{{ openshift_gcp_ssh_private_key }}" -C gce-provision-cloud-user -N ''
-        ssh-add "{{ openshift_gcp_ssh_private_key }}" || true
-    fi
-
-    # Check if the public key is in the project metadata, and if not, add it there
-    if [ -f "{{ openshift_gcp_ssh_private_key }}.pub" ]; then
-        pub_file="{{ openshift_gcp_ssh_private_key }}.pub"
-        pub_key=$(cut -d ' ' -f 2 < "{{ openshift_gcp_ssh_private_key }}.pub")
-    else
-        keyfile="${HOME}/.ssh/google_compute_engine"
-        pub_file="${keyfile}.pub"
-        mkdir -p "${HOME}/.ssh"
-        cp "{{ openshift_gcp_ssh_private_key }}" "${keyfile}"
-        chmod 0600 "${keyfile}"
-        ssh-keygen -y -f "${keyfile}" >  "${pub_file}"
-        pub_key=$(cut -d ' ' -f 2 <  "${pub_file}")
-    fi
-    key_tmp_file='/tmp/ocp-gce-keys'
-    if ! gcloud --project "{{ openshift_gcp_project }}" compute project-info describe | grep -q "$pub_key"; then
-        if gcloud --project "{{ openshift_gcp_project }}" compute project-info describe | grep -q ssh-rsa; then
-            gcloud --project "{{ openshift_gcp_project }}" compute project-info describe | grep ssh-rsa | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/value: //' > "$key_tmp_file"
-        fi
-        echo -n 'cloud-user:' >> "$key_tmp_file"
-        cat "${pub_file}" >> "$key_tmp_file"
-        gcloud --project "{{ openshift_gcp_project }}" compute project-info add-metadata --metadata-from-file "sshKeys=${key_tmp_file}"
-        rm -f "$key_tmp_file"
-    fi
-fi
-
 metadata=""
 if [[ -n "{{ openshift_gcp_startup_script_file }}" ]]; then
     if [[ ! -f "{{ openshift_gcp_startup_script_file }}" ]]; then
@@ -314,12 +282,12 @@ done
 ) &
 
 # Create bucket for registry
-( 
+(
 if ! gsutil ls -p "{{ openshift_gcp_project }}" "gs://{{ openshift_gcp_registry_bucket_name }}" &>/dev/null; then
     gsutil mb -p "{{ openshift_gcp_project }}" -l "{{ openshift_gcp_region }}" "gs://{{ openshift_gcp_registry_bucket_name }}"
 else
     echo "Bucket '{{ openshift_gcp_registry_bucket_name }}' already exists"
-fi 
+fi
 ) &
 
 # wait until all node groups are stable

roles/openshift_gcp/templates/provision_ssh.j2.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+set -euo pipefail
+
+if [[ -n "{{ openshift_gcp_ssh_private_key }}" ]]; then
+    # Create SSH key for GCE
+    if [ ! -f "{{ openshift_gcp_ssh_private_key }}" ]; then
+        ssh-keygen -t rsa -f "{{ openshift_gcp_ssh_private_key }}" -C gce-provision-cloud-user -N ''
+        ssh-add "{{ openshift_gcp_ssh_private_key }}" || true
+    fi
+
+    # Check if the public key is in the project metadata, and if not, add it there
+    if [ -f "{{ openshift_gcp_ssh_private_key }}.pub" ]; then
+        pub_file="{{ openshift_gcp_ssh_private_key }}.pub"
+        pub_key=$(cut -d ' ' -f 2 < "{{ openshift_gcp_ssh_private_key }}.pub")
+    else
+        keyfile="${HOME}/.ssh/google_compute_engine"
+        pub_file="${keyfile}.pub"
+        mkdir -p "${HOME}/.ssh"
+        cp "{{ openshift_gcp_ssh_private_key }}" "${keyfile}"
+        chmod 0600 "${keyfile}"
+        ssh-keygen -y -f "${keyfile}" >  "${pub_file}"
+        pub_key=$(cut -d ' ' -f 2 <  "${pub_file}")
+    fi
+    key_tmp_file='/tmp/ocp-gce-keys'
+    if ! gcloud --project "{{ openshift_gcp_project }}" compute project-info describe | grep -q "$pub_key"; then
+        if gcloud --project "{{ openshift_gcp_project }}" compute project-info describe | grep -q ssh-rsa; then
+            gcloud --project "{{ openshift_gcp_project }}" compute project-info describe | grep ssh-rsa | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/value: //' > "$key_tmp_file"
+        fi
+        echo -n 'cloud-user:' >> "$key_tmp_file"
+        cat "${pub_file}" >> "$key_tmp_file"
+        gcloud --project "{{ openshift_gcp_project }}" compute project-info add-metadata --metadata-from-file "sshKeys=${key_tmp_file}"
+        rm -f "$key_tmp_file"
+    fi
+fi